
Ukrainian organizations have emerged as targets of a new campaign likely orchestrated by Russian-linked threat actors, according to a report from S2 Grupo’s LAB52 threat intelligence team.
This campaign, observed in February 2026, is assessed as a duplicate of a previous campaign launched by Laundry Bear (also known as UAC-0190 or Void Blizzard) targeting the Ukrainian Armed Forces using a malware family known as PLUGGYAPE.
The campaign “deploys a JavaScript-based backdoor executed through the Edge browser using a variety of judicial and philanthropic-themed lures,” the cybersecurity firm said. The malware, codenamed DRILLAPP, can upload and download files, use the microphone, and capture images via a webcam using the capabilities of a web browser.
Two different versions of this campaign have been observed. The first iteration, detected in early February, uses a Windows shortcut (LNK) file to create an HTML application (HTA) in a temporary folder and load a remote script hosted on Pastefy, a legitimate paste service.
To establish persistence, the LNK file is copied to the Windows startup folder so that it starts automatically after the system restarts. The attack chain then displays a decoy URL related to the installation of Starlink or to the Ukrainian charity Come Back Alive Foundation.
The HTML file is ultimately run in headless mode through the Microsoft Edge browser and loads a remote obfuscated script hosted on Pastefy.
The browser runs with additional parameters such as -no-sandbox, -disable-web-security, -allow-file-access-from-files, -use-fake-ui-for-media-stream, -auto-select-screen-capture-source=true, and -disable-user-media-security to allow access to the local file system, camera, microphone, and screen capture without requiring user interaction.

This artifact essentially acts as a lightweight backdoor, facilitating access to the file system and capturing audio from the microphone, video from the camera, and images of the device’s screen through the browser. It also generates a device fingerprint on the first run using a technique called canvas fingerprinting, and uses Pastefy as a dead drop resolver to retrieve the WebSocket URL used for command-and-control (C2) communication.
The malware sends the device’s fingerprint data along with the victim’s country, which is determined from the machine’s time zone. Specifically, it checks whether the time zone corresponds to the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, or Poland; if none match, it defaults to the US.
The second version of this campaign, discovered in late February 2026, bypasses the Windows Control Panel module LNK files while leaving the infection sequence largely intact. Another notable change involves the backdoor itself, which has been upgraded to allow recursive file enumeration, batch file uploads, and arbitrary file downloads.
“For security reasons, JavaScript does not allow remote downloading of files,” LAB52 said. “This is why attackers use the Chrome DevTools Protocol (CDP). CDP is an internal protocol in Chromium-based browsers that can only be used when the -remote-debugging-port parameter is enabled.”
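A defender-side check for the browser switch combination described above, as an added example that is not LAB52’s or the page’s code: it scores constructed process-creation records for Chromium browsers launched with the listed switches and a local HTA/HTML page. The switch names are taken from the article; the weights, the alert threshold and the record format are assumptions.

```python
import re
# Added example, not LAB52's code. Chromium's command-line parser accepts both
# "-switch" and "--switch", so the switch regex tolerates either prefix.
RISKY_SWITCHES = {
    "headless": 1,                          # no visible window
    "no-sandbox": 1,                        # renderer sandbox off
    "disable-web-security": 1,              # same-origin policy off
    "allow-file-access-from-files": 1,      # file:// pages may read local files
    "use-fake-ui-for-media-stream": 2,      # camera/mic prompts auto-granted
    "auto-select-screen-capture-source": 2, # screen-capture prompt auto-granted
    "disable-user-media-security": 2,       # media secure-context check removed
    "remote-debugging-port": 2,             # Chrome DevTools Protocol exposed
}
ALERT_THRESHOLD = 3  # one dev-style switch stays below this; tune per fleet (assumed)
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}
SWITCH_RE = re.compile(r"(?:^|\s)--?([a-z][a-z0-9-]*)(?:=\S*)?")
LOCAL_PAGE_RE = re.compile(r"(?:file:///|[A-Za-z]:\\)\S*\.(?:hta|html?)\b", re.I)

def analyze_launch(image, cmdline):
    """Score one process launch; None unless the image is a Chromium browser."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in BROWSER_IMAGES:
        return None
    switches = [s for s in SWITCH_RE.findall(cmdline) if s in RISKY_SWITCHES]
    local = bool(LOCAL_PAGE_RE.search(cmdline))  # local .hta/.html opened directly
    score = sum(RISKY_SWITCHES[s] for s in switches) + (1 if local else 0)
    return {"image": name, "switches": switches, "local_page": local, "score": score}

def scan_process_log(lines):
    """lines are 'Image<TAB>CommandLine' records; returns launches at/above threshold."""
    alerts = []
    for line in lines:
        image, _, cmdline = line.partition("\t")
        hit = analyze_launch(image, cmdline)
        if hit and hit["score"] >= ALERT_THRESHOLD:
            alerts.append(hit)
    return alerts

# Constructed sample records (not real telemetry): a headless-Edge launch with the
# switch set described above, a developer debugging session, and a normal browse.
SAMPLE_LOG = [
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\t"
    "msedge.exe --headless --no-sandbox --disable-web-security "
    "--allow-file-access-from-files --use-fake-ui-for-media-stream "
    "--disable-user-media-security file:///C:/Users/u/AppData/Local/Temp/x.hta",
    "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\t"
    "chrome.exe --remote-debugging-port=9222 http://localhost:3000",
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\t"
    "msedge.exe --profile-directory=Default https://example.com",
]
```

A lone -remote-debugging-port launch scores below the threshold here because developers use it legitimately; the headless launch trips on the combination of sandbox, same-origin and media-prompt switches plus the local HTA.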
This backdoor is still believed to be in the early stages of development. The initial variant of the malware, detected on January 28, 2026, was observed to communicate only with the domain gnome[.]com instead of downloading the primary payload from Pastefy.
“One of the most notable aspects is the use of browsers to deploy backdoors, which suggests that attackers are seeking new ways to evade detection,” the Spanish security vendor said.
“Browsers are advantageous for this type of activity because they are common and generally suspicious processes, provide extensions that can be accessed through debugging parameters that allow unsafe actions such as downloading remote files, and can provide legitimate access to sensitive resources such as microphones, cameras, and screen recordings without immediate warning.”
